31 holes in IE --> site preservation

gfc

Since the original site that listed the security holes in Internet Explorer (per http://www.heise.de/security/news/meldung/41032) has decided, "voluntarily" and "without pressure from MS" (believe that if you like), to take its list offline, I have decided to preserve the content! Right here, in fact ;)

For anyone interested: at the moment the thing is still preserved in the Google cache at http://www.google.de/search?q=cache:www.pivx.com/larholm/unpatched/+&hl=de&ie=UTF-8

Unpatched IE security holes

Why this page ?

This page is a list of vulnerabilities that remain unpatched. It is our hope that the increased awareness brought forth may help further the research necessary to properly secure them.
Vulnerabilities listed on this page work (among others) with the latest versions of Internet Explorer, with all patches installed.
Until proper patches have been provided, the only fix for some of these vulnerabilities is to disable scripting.

This page is, and always will be, a work in progress. This is not a definitive list of vulnerabilities.

Miscellaneous news

11 September 2003: There are currently 31 unpatched vulnerabilities.

The latest cumulative Internet Explorer patch
was released August 20, 2003 under the identifier MS03-032.
Cumulative patches combine all previous IE patches and should be considered mandatory installs.

11 September 2003: Added Media bar resource injection by jelmer
10 September 2003: Added file-protocol proxy by Liu Die Yu
10 September 2003: Added NavigateAndFind protocol history by Liu Die Yu
10 September 2003: Added window.open search injection by Liu Die Yu
10 September 2003: Added NavigateAndFind file proxy by Liu Die Yu
10 September 2003: Added Timed history injection by Liu Die Yu
10 September 2003: Added history.back method caching by Liu Die Yu
10 September 2003: Added Click hijacking by Liu Die Yu
9 September 2003: Re-added Re-evaluating HTML elevation
26 August 2003: Added ADODB.Stream local file writing by jelmer
20 August 2003: Changed latest cumulative IE patch link, MS03-032 released
5 August 2003: Added Notepad popups by Richard M. Smith
4 August 2003: Added protocol control chars by badWebMasters
Older news...

Unpatched vulnerabilities

Media bar resource injection
Description: Arbitrary file download and execution, via the ability to load resource files in a window object
Reference: http://lists.netsys.com/pipermail/full-disclosure/2003-September/009917.html
Exploit: http://ip3e83566f.speed.planet.nl/hacked-by-chinese/5.htm

file-protocol proxy
Description: cross-domain scripting, cookie/data/identity theft, command execution
Reference: http://safecenter.net/liudieyu/WsOpenFileJPU/WsOpenFileJPU-Content.HTM
Exploit: http://safecenter.net/liudieyu/WsOpenFileJPU/WsOpenFileJPU-MyPage.HTM

NavigateAndFind protocol history
Description: cross-domain scripting, cookie/data/identity theft, command execution
Reference: http://safecenter.net/liudieyu/NAFjpuInHistory/NAFjpuInHistory-Content.HTM
Exploit: http://safecenter.net/liudieyu/NAFjpuInHistory/NAFjpuInHistory-MyPage.HTM

window.open search injection
Description: cross-domain scripting, cookie/data/identity theft, command execution
Reference: http://safecenter.net/liudieyu/WsFakeSrc/WsFakeSrc-Content.HTM
Exploit: http://safecenter.net/liudieyu/WsFakeSrc/WsFakeSrc-MyPage.htm

NavigateAndFind file proxy
Description: cross-domain scripting, cookie/data/identity theft, command execution
Reference: http://safecenter.net/liudieyu/NAFfileJPU/NAFfileJPU-Content.HTM
Exploit: http://safecenter.net/liudieyu/NAFfileJPU/NAFfileJPU-MyPage.htm

Timed history injection
Description: cross-domain scripting, cookie/data/identity theft, command execution
Reference: http://safecenter.net/liudieyu/BackMyParent2/BackMyParent2-Content.HTM
Exploit: http://www.safecenter.net/liudieyu/BackMyParent2/BackMyParent2-MyPage.HTM

history.back method caching
Description: cross-domain scripting, cookie/data/identity theft, command execution
Reference: http://safecenter.net/liudieyu/RefBack/RefBack-Content.HTM
Exploit: http://www.safecenter.net/liudieyu/RefBack/RefBack-MyPage.HTM

Click hijacking
Description: Pointing IE mouse events at non-IE/system windows
Reference: http://safecenter.net/liudieyu/HijackClick/HijackClick-Content.HTM
Exploit: http://safecenter.net/liudieyu/HijackClick/HijackClick2-MyPage.HTM

Re-evaluating HTML elevation dataSrc command execution
Description: Allows execution of arbitrary commands in Local Zones
Detail: This bug is related to the codebase local path bug, but details the actual issue and runs without scripting or ActiveX enabled
Published: February 28th 2002
Reference: http://security.greymagic.com/adv/gm001-ie/
Example exploit: http://security.greymagic.com/adv/gm001-ie/advbind.asp
Note: See 6th May 2003 Notes.

Notes September 2003:
Renamed and re-added: the symptom was fixed instead of the problem. Now demonstrates how to reach HTA functionality.
Reference: http://msgs.securepoint.com/cgi-bin/get/bugtraq0309/83.html
Example exploit: http://www.malware.com/badnews.html
Example exploit without scripting: http://www.malware.com/greymagic.html
Temporary workaround: Change the MIME type application/hta to something else

ADODB.Stream local file writing
Description: Planting arbitrary files on the local file system
Exploit: http://ip3e83566f.speed.planet.nl/eeye.html (but unrelated to the EEye exploit)

Notepad popups
Description: Opening popup windows without scripting
Reference: http://computerbytesman.com/security/notepadpopups.htm
Followup: http://msgs.securepoint.com/cgi-bin/get/bugtraq0308/55.html
Note: This is just an example of the problem, this entry will be replaced when more material is published

protocol control chars
Description: Circumventing content filters
Reference: http://badwebmasters.net/advisory/012/
Exploit: http://badwebmasters.net/advisory/012/test2.asp

WMP local file bounce
Description: Switching security zone, arbitrary command execution, automatic email-borne command execution
Reference: http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0307&L=ntbugtraq&F=P&S=&P=6783
Exploit: http://www.malware.com/once.again!.html

HTTP error handler Local Zone XSS
Description: HTML/Script injection in the Local Zone
Reference: http://sec.greymagic.com/adv/gm014-ie/
Exploit: http://sec.greymagic.com/adv/gm014-ie/

XSS in Unparsable XML Files
Description: Cross-Site Scripting on any site hosting files that can be misrendered in MSXML
Reference: http://sec.greymagic.com/adv/gm013-ie/
Exploit: http://sec.greymagic.com/adv/gm013-ie/

Alexa Related Privacy Disclosure
Description: Unintended disclosure of private information when using the Related feature
Reference: http://www.secunia.com/advisories/8955/
Reference: http://www.imilly.com/alexa.htm

Basic Authentication URL spoofing
Description: Spoofing the URL displayed in the Address bar
Reference: http://msgs.securepoint.com/cgi-bin/get/bugtraq0306/15.html
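
The "protocol control chars" and "Basic Authentication URL spoofing" entries each describe a URL-parsing pitfall in one line. The following is an added example, written for this preserved copy and not taken from the PivX page or any of the advisories it lists. It shows (1) a scheme filter that matches "javascript:" literally being bypassed by characters the consumer discards but the filter does not, beside a filter that canonicalises first, and (2) the user@host form, where the text before "@" is userinfo rather than the host a naive check or address display would assume. Which control characters IE ignored in 2003 is not stated on this page; stripping every C0 control, space and DEL before checking is an assumption chosen so the filter is at least as lenient as any consumer. The sample URLs are constructed, and the host names are illustrative.

```javascript
// Added example (not from the PivX page or the referenced advisories).
// Two URL-parsing pitfalls behind the entries above:
//  (1) a literal scheme check is bypassed by any character the browser
//      silently drops but the filter does not;
//  (2) in "scheme://userinfo@host/" the text before "@" is credentials,
//      so a check or display that uses it as the host is spoofed.
// ASSUMPTION: which control characters IE ignored is not on the page;
// we strip all C0 controls, space and DEL, which is at least as lenient
// as any consumer (the WHATWG URL parser, for instance, drops tab/CR/LF
// anywhere and leading/trailing C0 controls and space).

const BLOCKED_SCHEMES = new Set(["javascript", "vbscript", "data"]);

// --- (1) scheme filtering ----------------------------------------------

// Naive filter: literal, case-sensitive prefix test on the raw string.
function naiveSchemeAllowed(url) {
  return !url.startsWith("javascript:");
}

// Canonicalise first (remove every control character, then lower-case),
// then extract the scheme with a strict RFC 3986 scheme pattern.
// Over-normalising here is safe: it can only reject more, never less.
function canonicalScheme(url) {
  const cleaned = url.replace(/[\x00-\x20\x7f]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

function hardenedSchemeAllowed(url) {
  const scheme = canonicalScheme(url);
  if (scheme === null) return true; // relative URL: nothing to block
  return !BLOCKED_SCHEMES.has(scheme);
}

// --- (2) authority parsing ---------------------------------------------

// What a naive address check or regex sees: everything between "//" and
// the first "/", "?" or "#", userinfo included.
function naiveHost(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]*)/i.exec(url);
  return m ? m[1] : null;
}

// What is actually contacted: the WHATWG parser (Node's built-in URL)
// separates userinfo from the host. Returns null for unparsable input.
function authority(url) {
  try {
    const u = new URL(url);
    return { userinfo: u.username, host: u.hostname };
  } catch (e) {
    return null;
  }
}

// A URL carrying userinfo that looks like a host name is the classic
// spoof; refusing any userinfo at all is the simple, safe policy.
function isSpoofedAuthority(url) {
  const a = authority(url);
  return a !== null && a.userinfo !== "";
}

// Constructed sample input (not captured from any real attack).
const SAMPLES = [
  "javascript:alert(1)",
  "java\u0001script:alert(1)",
  " \tJavaScript:alert(1)",
  "http://www.trusted.example/",
  "http://www.trusted.example@evil.example/",
  "http://www.trusted.example:8080/path",
];

function report(url) {
  const a = authority(url);
  return {
    url,
    naiveAllowed: naiveSchemeAllowed(url),
    hardenedAllowed: hardenedSchemeAllowed(url),
    naiveHost: naiveHost(url),
    realHost: a ? a.host : null,
    spoofed: isSpoofedAuthority(url),
  };
}

function auditAll(urls = SAMPLES) {
  return urls.map(report);
}

console.log(JSON.stringify(auditAll(), null, 2));
```

Running it shows the naive filter passing both `java\u0001script:` and ` \tJavaScript:` while the canonicalising filter rejects them, and the user@host sample reporting `www.trusted.example@evil.example` as the apparent host but `evil.example` as the host actually contacted. The general lesson is that a filter must normalise at least as aggressively as the component that consumes the URL, and that anything before "@" in an authority must never be trusted as the destination.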

DNSError folder disclosure
Description: Gaining access to local security zones
Reference: http://msgs.securepoint.com/cgi-bin/get/bugtraq0306/52.html

mhtml wecerr CAB flip
Description: Delivery and installation of an executable
Reference: http://msgs.securepoint.com/cgi-bin/get/bugtraq0305/48.html

WebFolder data Injection
Description: Injecting arbitrary data in the My Computer zone
Reference: http://msgs.securepoint.com/cgi-bin/get/bugtraq0305/13.html

codebase local path
Description: Allows execution of arbitrary commands in Local Zones
Hinted: June 25th 2000 by Dildog
Reference: http://online.securityfocus.com/archive/1/66869
Hinted: November 23rd 2000 by Georgi Guninski
Reference: http://www.guninski.com/parsedat-desc.html
Published: January 10th 2002, by thePull (incorrectly labeled the "Popup object" vulnerability)
Reference: http://home.austin.rr.com/wiredgoddess/thepull/advisory4.html
Example exploit: http://home.austin.rr.com/wiredgoddess/thepull/funRun.html
Note: See 6th May 2003 Notes.

Web Archive buffer overflow
Description: Possible automated code execution.
Reference: http://msgs.securepoint.com/cgi-bin/get/bugtraq0303/107.html

dragDrop invocation
Description: Arbitrary local file reading through native Windows dragDrop invocation.
Reference: http://msgs.securepoint.com/cgi-bin/get/bugtraq0302/12.html
Exploit: http://kuperus.xs4all.nl/security/ie/xfiles.htm

document.domain parent DNS resolver
Description: Improper duality check leading to firewall breach
Published: July 29 2002
Reference: http://online.securityfocus.com/archive/1/284908/2002-07-27/2002-08-02/0

FTP Folder View XSS
Description: Elevating privileges, running script in the My Computer zone, arbitrary command execution, etc.
Published: June 7th 2002 (Microsoft was notified December 21st 2001.)
Reference: http://www.geocities.co.jp/SiliconValley/1667/advisory02e.html
Exploit: http://jscript.dk/Jumper/xploit/ftpfolderview.html

DynSrc Local File detection
Description: Detect if a local file exists, and read its size/date
Published: March 27th 2002
Reference: http://security.greymagic.com/adv/gm003-ie/

Status: Patched in IE6 by Service Pack 1, but IE5 and 5.5 are still vulnerable.

Security zone transfer
Description: Automatically opening IE + Executing attachments
Published: March 22nd 2002
Reference: http://security.greymagic.com/adv/gm002-ie/

Extended HTML Form Attack
Description: Cross Site Scripting through non-HTTP ports, stealing cookies, etc.
Published: February 6th 2002
Reference: http://eyeonsecurity.org/advisories/multple-web-browsers-vulnerable-to-extended-form-attack.htm

"script src" local file enumeration
Description: Enables a malicious programmer to detect if a local file exists.
Published: January 3rd 2002
Reference: http://www.securityfocus.com/bid/3779
Example exploit: http://jscript.dk/Jumper/xploit/scriptsrc.html

IE https certificate attack
Description: Undetected SSL man-in-the-middle attacks, decrypting SSL-encrypted traffic in realtime
Published: December 22 2001 ( Stefan Esser )
Published: June 6 2000 ( ACROS )
Reference: http://security.e-matters.de/advisories/012001.html
Example exploit: http://suspekt.org/

Status: Initially fixed in IE4 and early IE5s by MS00-039, re-introduced by a later patch.